On 15 November 2010 Kenneth Clarke, the Justice Secretary, announced to the House of Commons reforms to the legal aid regime that would lead, he said, to a reduction in the legal aid budget of £350 million in 2014/15 (Hansard 15 Nov 2010: Column 659). Just over a week before the Justice Secretary’s statement to the House, the Information Commissioner had issued a press notice following the Information Commissioner’s Office investigation into Google and its collection of WiFi data during its StreetView survey of the UK.

The StreetView collection of personal data was deemed to be a serious breach of the Data Protection Act 1998, but as a result of it occurring before the Information Commissioner had power to impose monetary penalties, Google avoided a fine and was merely required to enter into an undertaking to behave itself.

Sadly for the Justice Secretary, Google breached data protection law 5 years too early. If Google had committed the same serious breach under the proposed Data Protection Regulation, which will not come into effect until 2 years (and twenty days) after the Regulation is published in the Official Journal of the European Union, then the hole in the legal aid budget could have been plugged with ease. Article 79(6) of the draft Regulation gives supervisory authorities (the term for data protection regulators in the draft Regulation) the power to impose administrative fines of up to €1,000,000 (at the date of this post, approximately £837,890) or 2% of annual worldwide turnover.

Google, using its published 2010 audited accounts, would therefore have been liable to a maximum fine of $586,420,000 (2% of 2010 revenues of $29,321 million). At the date of this post, that is approximately £374,582,000.

Sitefinder is a web-based service that allows anyone to search any location or postcode in the UK to discover the location of any nearby mobile phone base station, together with details of the station’s operator, operating frequencies and maximum transmitter power (e.i.r.p. per channel).

Sitefinder was the subject of a request for information under the Environmental Information Regulations 2004 (“EIRs”) to Ofcom, which was refused. The applicant for the information then made an appeal to Ofcom for an internal review, who upheld the initial decision to refuse the request. The applicant then appealed to the Information Commissioner, who was minded to order the disclosure of the relevant information (Case Ref: FER0072933, 11 September 2006). This was then appealed to the Information Tribunal (now known as the First-Tier Tribunal (Information Rights)), who also ordered disclosure (EA/2006/0078, 4 September 2007). Ofcom appealed to the High Court, where the appeal was dismissed ([2008] EWHC 1445 (Admin), 8 April 2008), then to the Court of Appeal ([2009] EWCA Civ 90, 20 February 2009) and the Supreme Court ([2010] UKSC 3, 27 January 2010), who referred a question to the Court of Justice of the European Union (“CJEU”) (Case C-71/10). On 10 March 2011 Advocate General Kokott gave her opinion. Finally, the CJEU has given its decision ([2011] EUECJ C-71/10, 28 July 2011), which should lead to the case being closed.

Initial Request and Internal Review

The EIRs provide for wider access to information that falls within the wide definition of environmental information included in the EIRs, than the Freedom of Information Act 2000 (“FOIA”) permits. Consequently, the information request made by an information officer from Health Protection Scotland on 11 January 2005 requesting national datasets of the full details of each mobile phone base station within the Sitefinder database under the FOIA, was correctly processed by Ofcom (being a request for information on factors such as radiation – EIRs, reg.2.1(b)) under the EIRs. The request was made because Sitefinder itself only permits users to research details within postcode areas, with no national or regional lists or exact details of base station grid references.

As a result of the initial request and request for internal review dated 25 February 2005, a number of exemptions under EIRs came into play, particularly:

the public safety and national security exemption at reg.12(5)(a) – the public interest in safeguarding the location of all TETRA sites, and hence all police and emergency services communications, outweighed any public interest in disclosure of the sites’ data; and

the intellectual property rights (‘IPRs’) exemption at reg.12(5)(c) – disclosure would affect the rights of the network operators. The raw national dataset could be used by competitors to discover the design of each mobile network. The IPRs in question were:

the operators’ database right in the Sitefinder database (applying the ruling in CJEU Case C-203/2 British Horseracing Board –v- William Hill, the Commissioner agreed that operators had made the necessary “substantial investment in obtaining, verifying or presenting the contents of the database” (Copyright and Rights in Databases Regulations 1997, reg 13(1)) to create a database right – Ofcom estimated that each operator took up to 50 man hours every 3 months to collate information for Sitefinder as well as 3-5 man-days per month to attend and contribute to Sitefinder policy and development groups);

copyright in the operators’ data; and

an obligation of confidence (the World Intellectual Property Organisation Convention 1967, Art. 2(viii), includes “rights relating to…works …protection against unfair competition and all other rights resulting from intellectual activity in the industrial, scientific, literary or artistic fields” – the Commissioner did not find that the appropriate obligation of confidence existed in the data supplied by the operators).

Appeal to Information Commissioner

The case was appealed to the Information Commissioner on 22 April 2005. The Commissioner considered the application by Ofcom of the EIRs, reg.12(5) exemptions, carefully applying his Awareness Guidance No. 20, which details how the Commissioner considers the adverse effect test for EIRs, reg.12(5) should operate. Essentially, this is a harm test. The Guidance states: “the adverse effect test provides exceptions only in those cases where an adverse effect would arise. In other words, so far as environmental information is concerned, in order to engage an exception, some harm must be certain rather than merely likely. This is a significant difference.” As Ofcom did not present the Commissioner with evidence of harm to public safety or national security, or the operators’ IPRs, disclosure was ordered.

In coming to this view, the Commissioner took account of the balance of interests under EIRs’ cases: Recital 16 of the EU Directive on public access to environmental information (Council Directive 2003/4/EC), upon which the EIRs are based, states that exceptions must “be interpreted in a restrictive way”. It was quite possible for Ofcom to disclose the requested information subject to the operators’ database rights and copyright, so that the requester could not use the disclosed database. A public authority cannot prejudge use of disclosed environmental information. The EIRs, as with the FOIA, do not require a requester to state the purpose of the request. For both copyright and database right, it was ruled that use of the disclosed database by the requester would require a licence from the operators, which by implication they could refuse to grant.

Appeal to Information Tribunal

Ofcom appealed to the Information Tribunal on 10 October 2006, and T-Mobile was permitted by the Tribunal to be joined to the appeal on 29 November 2006. The case before the Tribunal was a messy one – it was not simply an appeal of the Commissioner’s decision. However, amongst other rulings, the Information Tribunal in considering the EIRs, reg.12(5)(b) public safety exception, did consider that there was a slightly increased risk that the disclosure of the site information requested, being more accurate than that already in the public domain, may adversely affect public safety. However, the Tribunal did not consider that this increased risk outweighed the public interest in the site information, given its importance as identified in the Stewart Report and for epidemiological investigations.

The Tribunal was also not convinced that the IPR exemption at EIRs, reg.12(5)(c) applied. The Tribunal decided that the exemption can only be applied if there is sufficient adverse effect to trigger the exemption, followed by a consideration of whether the actual or potential harm in the disclosure is sufficiently great to outweigh the public interest in disclosure. The Tribunal considered that the test to find adverse effect should not be set with a particularly high threshold – the exemption could apply to any case where there was more than a mere technical or minimal infringement of the relevant IPR. The Tribunal considered the degree of harm that disclosure of the Sitefinder dataset would cause. For example, it considered the potential loss of revenue claimed by the operators from their inability to license their site data, and the adverse effect of the implied disclosure of each operator’s network design that would result from disclosing the Sitefinder information.

In each case, the Tribunal was not convinced that there would be actual or potential harm under each of the headings submitted by Ofcom and T-Mobile, but considered that there was sufficient adverse effect from the combination of the various factors.

The Tribunal also considered a further public interest in withholding the Sitefinder data. The operators had warned Ofcom that as their supply of base station data was not a statutory requirement but was made by them voluntarily, they would refuse to supply any further data if the Tribunal ruled in favour of disclosure. There was clearly a public interest in maintaining Sitefinder. The Tribunal did not consider that it could base its decision on any actual or implied threat of future non-cooperation by the operators.

In addition, the Tribunal did not accept Ofcom’s view that the EIRs required it to consider whether the aggregate public interest in maintaining the exemptions outweighed the public interest in favour of disclosure.

Appeal to the Administrative Court

In the Administrative Court the question of how to apply the EIRs exemptions was considered. In essence, the Court reviewed whether a public authority should consider whether the public interest in disclosure outweighed the public interest in withholding the requested information for each separate exemption that could apply, and only if all exemptions resulted in the public interest in disclosure being outweighed should the information not be released. The contrary argument, that the public authority should consider the aggregate public interest, was dismissed by the Court. In reviewing the IPRs exemptions, the Administrative Court considered that the Tribunal could consider whether the use of the data to be disclosed (i.e. for epidemiological research) was in the public interest, even if that meant a breach of the operators’ rights. This was important as strictly a person requesting information under the EIRs or FOIA does not have to state a purpose (however, I have always advised applicants that the purpose should be stated, for exactly this reason – it colours the public interest test – see the chapter I have co-authored in the Law Society’s Freedom of Information Handbook).

Appeal to the Court of Appeal

The Court of Appeal reviewed the Administrative Court’s view on aggregation of public interest, and determined that the Administrative Court had erred in not following this approach. However, the Court of Appeal agreed that the purpose to which the data disclosed was to be put could be considered in any public interest test.

Supreme Court

The issue for the Supreme Court was therefore the same: how should a public authority apply more than one exemption? Is each exemption to be addressed separately, by considering whether the interest served by it is outweighed by the public interest in disclosure? Or can the interests served by different exemptions be combined and then weighed against the public interest in disclosure? The Supreme Court quickly realised that this involved discerning what was intended by Directive 2003/4/EC, and so made the following reference to the CJEU:

Under Council Directive 2003/4/EC, where a public authority holds environmental information, disclosure of which would have some adverse effects on the separate interests served by more than one exception (in casu, the interests of public security served by article 4(2)(b) and those of intellectual property rights served by article 4(2)(e)), but it would not do so, in the case of either exception viewed separately, to any extent sufficient to outweigh the public interest in disclosure, does the Directive require a further exercise involving the cumulation of the separate interests served by the two exceptions and their weighing together against the public interest in disclosure?

Advocate General Opinion

Juliane Kokott has carried out her usual thorough analysis, and has suggested to the CJEU that they answer:

Under Council Directive 2003/4/EC on public access to environmental information, where a public authority holds environmental information, disclosure of which would have some adverse effects on the separate interests served by more than one exception under Article 4(2), but it would not do so, in the case of either exception viewed separately, to any extent sufficient to outweigh the public interest in disclosure, the directive requires a further exercise involving the cumulation of the separate interests served by the two exceptions and their weighing together against the public interest in disclosure.

Decision of the CJEU

Perhaps not surprisingly, the CJEU has followed the conclusion of the Advocate General. The judgement is short and to the point, so I will not repeat the analysis of Article 4(2) of Directive 2003/4/EC made by the CJEU to enable them to come to this conclusion (see the link above).

As a result of the decision, the matter will be referred back relatively quickly to the First-Tier Tribunal (Information Rights), where I expect the cumulation of exemption interests will be found to outweigh the public interest in disclosure, so that Sitefinder will be reprieved.

What would you do if you were approached by a newspaper that wished to publish an article about your child’s illness? Assuming you do not have the resources to instruct lawyers specialising in privacy and data protection to consider obtaining an injunction, you could look at a little-known and rarely-exercised right in the Data Protection Act 1998.

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted.

(2) Subsection (1) does not apply—

(a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b) in such other cases as may be prescribed by the Secretary of State by order.

In the scenario being dealt with here, none of the conditions in subsection (2) apply. As this right is rarely exercised, even less made the subject of any court proceedings, there is no judicial interpretation of what is required to meet the “substantial” level or where the line may be drawn between warranted and “unwarranted” for section 10. However, it is a cost-free approach to issue a section 10 notice. As this is a fundamental right under the Act, any recipient data controller ignoring it risks court action, or more likely, enforcement action by the Information Commissioner following a complaint by a person issuing the notice that their rights were ignored.

Although the Information Commissioner’s guidance on when he would be minded to issue a monetary penalty is not completely clear on this point, it is at least arguable that any denial of a section 10 right would be a severe breach of the Data Protection Act. As a severe breach, it could be the subject of a monetary penalty notice, which can include a fine of up to £500,000. The risk of being subject to a £500,000 fine, as well as the reputational fall out for a newspaper, might be enough to make a publisher think twice.

There is also the question of the lawfulness of the newspaper publishing the story concerning an individual’s medical condition. In short, the publication is not covered by any of the lawful purposes for which medical data (included in the definition of “sensitive personal data” in the Act) may be processed. The only conceivable lawful purpose is contained in a statutory instrument, the Data Protection (Processing of Sensitive Personal Data) Order 2000. In particular, paragraph 3 of the Schedule to the Order states:

3. The disclosure of personal data –

(a) is in the substantial public interest;

(b) is in connection with –

(i) the commission by any person of any unlawful act (whether alleged or established),

(ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or

(iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);

(c) is for the special purposes as defined in section 3 of the Act; and

(d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.

It is difficult to make a convincing case that knowledge of a child’s medical condition is in the substantial public interest for paragraph 3(a). Only the case of Leo Blair and MMR comes to mind as a possible example. That, however, leaves the other conditions in paragraph 3 unfilled for this to be a lawful purpose.

However, newspapers can seek to apply the exemption at section 32 of the Act for journalism, literature or art. The newspaper would have to be clear that publication was in the public interest (section 32(3)) and within the scope of the Press Complaints Code (a designated code for the purposes of section 32 under the Data Protection (Designated Codes of Practice) Order 2000 – it is an anomaly that the sensitive personal data Order described above imposes a “substantial public interest” test in connection with journalism (the “special purpose” in paragraph 3(c)), whereas section 32 does not). Note paragraph 6(v) of the current edition of the PCC Code to Editors, and point 5 of the note on the public interest test to be applied in matters concerning children:

v) Editors must not use the fame, notoriety or position of a parent or guardian as sole justification for publishing details of a child’s private life.

5. In cases involving children under 16, editors must demonstrate an exceptional public interest to over-ride the normally paramount interest of the child.

Clearly, the section 32 exemption must be one being relied upon by News International in connection with the publication of Fraser Brown’s medical condition. It is disappointing, but perhaps not surprising in the circumstances of the relationship between No 10 and News International in 2006, that no complaint was made about the Fraser Brown report that would have given the Information Commissioner’s Office or a court a chance to describe the limits of section 32, or to resolve the conflicting public interest tests in section 32 and the sensitive personal data Order.

If you consider that section 32 gives newspapers too much leeway, then note that the exemption does not cover section 13 of the Act. In particular, section 13(2)(b) provides, in effect, that “an individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if… the contravention relates to the processing of personal data for the [purposes of journalism]”. It would therefore be the case that if the Information Commissioner, as a result of a complaint, or a court ruled that the newspaper had not published (sensitive) personal data in the public interest, then the individual concerned could sue the newspaper for distress. This would be in addition to any monetary penalty imposed by the Information Commissioner for the contravention.

To date only Naomi Campbell has obtained such distress damages (Campbell v Mirror Group Newspapers [2002] EWHC 499 (QB), subsequently upheld by the House of Lords [2004] UKHL 22). Although not clearly identified as such, it would seem that these damages amounted to a modest £1,000, out of a total award of £3,500 damages under section 13 of the Act and for breach of confidentiality. The low level of these damages has itself probably deterred section 13 actions against newspapers.

Many questions are being asked about the fourth estate in the aftermath of the News of the World hacking scandal. However, few seem to be considering the potential that reactionary measures adopted as a result of widespread illegality by journalists may make genuine investigative journalism that is conducted in the public interest impossible. In particular, the Information Commissioner’s 2006 report into the illegal sale of personal data, What Price Privacy?, is getting the attention it should have received 5 years ago. However, the reports of the number of incidences of sale of personal data to journalists fail to note that some of this activity could have been lawful.

There is already an exemption from the scope and reach of the Data Protection Act 1998 to cover genuine journalism. Section 32(1) of the Act states:

(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

“Special purposes” means any one or more of the purposes of journalism, artistic purposes, and literary purposes (Section 3 of the Act).

The main criminal offence being committed by phone hackers under the Data Protection Act 1998 is the unlawful obtaining of individuals’ phone numbers and PINs for voice mail boxes – the actual interception of communications is either an offence under the Regulation of Investigatory Powers Act 2000 or the Computer Misuse Act 1990. In particular, section 55 of the Act states:

55 Unlawful obtaining etc. of personal data.

(1) A person must not knowingly or recklessly, without the consent of the data controller—

(a) obtain or disclose personal data or the information contained in personal data, or

(b) procure the disclosure to another person of the information contained in personal data.

(2) Subsection (1) does not apply to a person who shows—

(a) that the obtaining, disclosing or procuring—

(i) was necessary for the purpose of preventing or detecting crime, or

(ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,

(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3) A person who contravenes subsection (1) is guilty of an offence.

(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5) A person who offers to sell personal data is guilty of an offence if—

(a) he has obtained the data in contravention of subsection (1), or

(b) he subsequently obtains the data in contravention of that subsection.

(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(8) References in this section to personal data do not include references to personal data which by virtue of section 28 or 33A are exempt from this section.

It is therefore clear that there is a public interest defence to the section 55 criminal offence, at section 55(2)(d), that would enable the techniques being used by News of the World and others to continue to be used for legitimate investigative journalism.

I therefore consider that in any consideration of greater regulation of the press, consideration should be given to providing for public interest defences for the purposes of journalism in the 1990 and 2000 Acts. I also agree that the maximum penalty of £5,000 for a breach of section 55 is lamentable. It was in 2006, it clearly is in 2011.

I was asked a couple of days ago to prepare an email alert for clients on a commercial law update circulation list to describe compliance steps required for the new cookies law. This turns out to be virtually impossible. Much as it pained me, the advice really comes down to the cliché lawyers’ answer of, “It depends”.

Together with my colleague Mark Alsop, we finally went with this:

When we issue email alerts on an imminent change in law that is likely to have a wide impact on normal business activities, we seek to give clear guidance on what steps must be taken for compliance with the new law.

Regrettably, this is rather difficult to do for the new law on the use of cookies, which comes into effect on 26 May 2011.

A cookie is a small file of letters and numbers placed by a website onto a user’s computer when he or she accesses the website. They allow a website to recognise a user’s computer and to adjust the user’s experience of the website accordingly – cookies can be used for authentication, storing preferences, managing shopping baskets, tracking web-browsing and many other things. A website may place several cookies onto a user’s computer.

The current law requires users to be given information about the use of cookies, which information must include details on how the user can opt out of cookies’ use – this is contained in the Privacy and Electronic Communications (EC Directive) Regulations 2003. As their name implies, the Regulations implement a European Union Directive (Directive 2002/58/EC). Compliance has usually involved no more than including a statement in website terms and conditions or privacy policy on the use of cookies. The law applies not just to cookies, but also to alternatives that perform similar functions, such as tracking by IP address, hidden form fields and flash cookies – all covered by the word “cookies” for the purposes of this note.

This Directive has been amended so that, as well as giving users information on exercising an opt out, usually by changing their browser settings to reject any cookies, no cookies can now be used lawfully unless the user has given his or her consent to their use.

The change is practically difficult to implement without spoiling the user’s browsing experience. It had been thought (hoped) that having browser settings which permit cookies would amount to consent, but this has been rejected as a means of obtaining consent.

The UK Government did consult on appropriate amendments to the UK Regulations to make them easier to comply with, but that came to nothing when the Ministry of Justice announced that in future all Regulations implementing EU legislation will simply faithfully reproduce the revised EU Directive wording.

The Information Commissioner’s Office (ICO) has recently published guidance on the new cookie law, but this does not give any definitive, practical assistance in compliance. Instead, it recognises that the new law is difficult to implement. It merely advises that companies review their use of cookies and consider how they may be able to obtain the consent called for by the new regulation.

We can therefore only repeat the ICO advice. Audit your use of cookies and consider how intrusive your use of the cookies is. Then see how best you can get (and record) users’ consent. The guide suggests methods involving features such as pop ups, terms and conditions and settings, i.e. instances asking users for consent at the same time as they anyway have to make choices in relation to the website. These methods will of course not always be available. The guidance does acknowledge that it will be particularly challenging to obtain consent in relation to “third party cookies” (which allow third parties to set cookies on a user’s computer).

There are reports that the Government is working with browser suppliers to bring in browsers that can give compliant consent. This will be a big step forward, but as the guidance points out, there will remain the problem of users who do not upgrade to such browsers.

Two final observations. First, the ICO expects websites to deal with the more intrusive cookies first. Second, in terms of enforcement, the guidance acknowledges that there is no prospect of full compliance by 26th May, i.e. less than 3 weeks after the guidance was issued. Instead, the ICO indicates that, for the time being, it is concerned to ensure that website owners have a realistic plan to achieve compliance.

The ICO states that further guidance will be issued “if appropriate, in future”.